Researcher: iLker Kandemir
Ref: BUGTRAQ SchoolBoard (admin.php) Remote Login Bypass SQL Injection Vulnerability
http://www.securityfocus.com/archive/1/archive/1/467486/100/0/threaded
1. The quoted source code doesn't show anything related to SQL
queries, although they are used.
2. There's no 'username' ANYWHERE in the entire distribution.
3. "pass" and "password" are not used in any queries, at least in
admin.php. They are barely used at all in the entire distribution.
- Steve